Skip to content

Avoiding “$f2bV_matches” in fail2ban reports to AbuseIPDB

I just set up AbuseIPDB with one of my fail2ban instances, mostly just out of curiosity and because it seemed simple enough. However, following that guide with an old-ish version of fail2ban made me end up with “$f2bV_matches” as a report comment, which doesn’t look too good.

A quick search led me to this Github issue, which is quite a long read and a bit confusing. But long story short, there was a bug in the provided “action.d/abuseipdb.conf” configuration file, prior to a somewhat unclear fail2ban version (0.10.3?). Note that I suspect it could apply to a later version if you somehow keep installed configuration files when upgrading.

Anyhow, since it’s all in that configuration file, you can just grab the appropriate line in the fixed version, which I’ll copy here as well:
actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"
Then put that line as a replacement of the existing one in /etc/fail2ban/action.d/abuseipdb.conf
Note that while you’re at it, you can set your API key in this file as well (abuseipdb_apikey = ... at the very bottom). This way, you don’t have to put it in every single jail, which helps make things more readable and maintainable, IMO.

And that’s about it, if you’ve followed the rest of the setup instructions provided by AbuseIPDB. Don’t forget to at least reload fail2ban (sudo systemctl reload fail2ban), although for me it seemed that something restarting it worked better (in such case, don’t forget that it may submit duplicate reports, which you should delete)

A few other useful commands (mostly for my own copy-pasting convenience 👀):

sudo tail /var/log/fail2ban.log
sudo tail /var/log/fail2ban.log > /home/export.txt
sudo tail /var/log/auth.log
sudo nano /etc/fail2ban/fail2ban.local
sudo nano /etc/fail2ban/jail.conf

And while I’m at it, let’s get that contributor badge going (I hope it works with subdomains) (edit: yes it does):

AbuseIPDB Contributor Badge

Update 2024-03-19

If getting fail2ban [490]: ERROR Failed during configuration: Have not found any log file for sshd jail, it probably means logs are not being written to /var/log/auth.log because syslog was not installed. A fix could be to either install syslog (or rsyslog), or to configure fail2ban to use systemd as a backend, by adding backend = systemd to the jail configuration. Cf also this ticket on Github.

Some more useful commands

sudo systemctl status fail2ban
sudo systemctl status ssh.service
sudo apt policy openssh-server
sudo fail2ban-client unban --all

Last but not least, make sure these packages are installed, otherwise the ban jail will fail to execute fully:

  • iptables
  • curl

Posted in servers, web filtering.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.

Sorry about the CAPTCHA that requires JS. If you really don't want to enable JS and still want to comment, you can send me your comment via e-mail and I'll post it for you.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA